Hi Eric,

I mostly agree with your analysis (other than maybe we'd
be better off to more precisely distinguish https vs. tls,
as we figure this out).

Just one clarification:

On 02/11/2019 19:58, Eric Rescorla wrote:
> 
> 
>> ISTM that requiring day-1 defence against active attacks was to an
>> extent responsible for the lack of deployment
>> of IPsec and DNSSEC,
> 
> I don't understand what DNSSEC would do if not defend against active
> attack.

What I meant was that the dependency on the parent for
DNSSEC was driven by that requirement for preventing
active attacks on day-1, but the dependency on the parent
making changes has also been a serious obstacle to
deployment.

In contrast, things like dkim, dmarc and mta-sts come
with testing modes and reporting, which I think helps
deployment.

What I'm asking is that we consider those kinds of
make-deployment-easier features as well when figuring
out adot (regardless of whether or not we end up with
an opportunistic approach).

Cheers,
S.

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy